Welcome to the Oracle Cloud universe!

OWSM – Oracle Web Services Manager (Part 2)

I introduce the OWSM-based policy framework, how it provides security as a service, and how to implement it in your infrastructure step by step.

For instance, OWSM has policies supporting:

• Security Assertion Markup Language (SAML) token profiles,

• Kerberos,

• Web Services Security (WSS) 1.0/1.1,

• and Secure Sockets Layer (SSL),

allowing you to easily attach policies for security, auditing, and management of components, services, and references in a composite as well as any standalone web services deployed to the infrastructure.

The policy framework is built using the Web Services Policy (WS-Policy) standard wherein each policy describes the capabilities and requirements of a service such as whether and how a message must be secured, whether and how a message must be delivered reliably, and so on.

Oracle SOA Suite 11g has support for the following types of security policies:

• WS-Reliable Messaging: These policies implement the WS-RM standard over a wire-level protocol that allows guaranteed delivery of SOAP messages and can maintain the order in which a set of messages is delivered.

• Management: Management policies log request, response, and fault messages to a message log. Management policies may include custom policies and are useful to audit security implementations.

• WS-Addressing: These policies verify that SOAP messages include addressing headers to propagate conversation tokens. Transport-level data is included in the SOAP header rather than relying on the network-level transport to convey this information.

• Security: Security policies implement WS-Security 1.0 and 1.1 standards by enforcing message protection (message integrity and confidentiality), authentication, and authorization of service requesters and providers. They also support a range of token profiles including but not limited to username tokens, X.509 certificates, Kerberos tickets, and SAML-based assertions.

• Message Transmission Optimization Mechanism (MTOM): These policies enable binary and streamed content, such as an image in JPEG format, to be passed between clients and services.

OWSM uses a pipeline interceptor to execute different categories of policies in a predefined order for the request and response messages.

There is a central Policy Manager application embedded in an application server to distribute policy enforcement tasks to OWSM agents. If the policy assertions are successful, the web service client and the invoked service are allowed to communicate.
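The Python sketch below is an added illustration, not OWSM code and not part of the original post: it models an interceptor pipeline that evaluates policy assertions category by category and lets a SOAP request through only when every assertion succeeds. The category order, the function names and the sample messages are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsa": "http://www.w3.org/2005/08/addressing",
}

def require_addressing(header):
    # WS-Addressing: To, Action and MessageID must travel in the SOAP header.
    return all(header.find(f"wsa:{n}", NS) is not None for n in ("To", "Action", "MessageID"))

def require_username_token(header):
    # Security: checks presence of a non-empty wsse:Username only; a real agent
    # would go on to verify the credential against an identity store.
    user = header.find("wsse:Security/wsse:UsernameToken/wsse:Username", NS)
    return user is not None and bool((user.text or "").strip())

# Assumed order for this sketch; the text only says the order is predefined.
PIPELINE = [("addressing", require_addressing), ("security", require_username_token)]

def enforce(soap_xml):
    """Run each assertion in order and fail closed on the first one not met."""
    audit = []  # stands in for the message log a management policy would write
    try:
        header = ET.fromstring(soap_xml).find("soap:Header", NS)
    except ET.ParseError:
        return False, ["parse: fail"]
    if header is None:
        return False, ["header: missing"]
    for category, assertion in PIPELINE:
        ok = assertion(header)
        audit.append(f"{category}: {'pass' if ok else 'fail'}")
        if not ok:
            return False, audit
    return True, audit

def sample(with_token):
    # Constructed SOAP 1.1 request, with or without a UsernameToken.
    token = ("<wsse:Security><wsse:UsernameToken><wsse:Username>alice</wsse:Username>"
             "</wsse:UsernameToken></wsse:Security>") if with_token else ""
    return (f'<soap:Envelope xmlns:soap="{NS["soap"]}" xmlns:wsse="{NS["wsse"]}" '
            f'xmlns:wsa="{NS["wsa"]}"><soap:Header><wsa:To>urn:example:svc</wsa:To>'
            "<wsa:Action>urn:example:op</wsa:Action><wsa:MessageID>urn:uuid:1</wsa:MessageID>"
            f"{token}</soap:Header><soap:Body/></soap:Envelope>")

if __name__ == "__main__":
    print(enforce(sample(True)), enforce(sample(False)))
```

A malformed message or one without a SOAP header is rejected before any assertion runs, so the sketch never treats an unparseable request as allowed.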

 
